Hey, having some spyware related problems with StarWars Galaxies....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Chiss359, Nov 17, 2004.

  1. Chiss359

    Chiss359 Private E-2

    I would appreciate any help identifying and removing said spyware. Thanks in advance, here is my HJT Log.
     

    Attached Files:

  2. Chiss359

    Chiss359 Private E-2

    Sorry for posting the HJT log before being asked, but I hope I did it correctly.
     
  3. Kodo

    Kodo SNATCHSQUATCH

  4. Chiss359

    Chiss359 Private E-2

    Ok, I did all that, but I cannot eliminate a Virtumundo Spyware....

    I am attaching a new HJT log, please help me remove this...
     

    Attached Files:

  5. PhilliePhan

    PhilliePhan Guest

    Hi Chiss359,

    Welcome to the wonderful world of StopGuard-related malware!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them, if possible:
    libbas.exe
    runsrv.exe
    waveun.exe


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete waveun.exe ( or any waveun or nuevaw entries). If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nuevaw.dat

    O4 - HKLM\..\Run: [*libbas] C:\WINDOWS\Cursors\libbas.exe

    O4 - HKLM\..\Run: [*runsrv] C:\WINDOWS\runsrv.exe

    O4 - HKLM\..\Run: [*waveun] C:\WINDOWS\Fonts\waveun.exe

    O4 - HKLM\..\RunOnce: [*waveun] C:\WINDOWS\Fonts\waveun.exe rerun


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Fonts\waveun.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if they remain:

    C:\WINDOWS\Cursors\libbas.exe
    C:\WINDOWS\runsrv.exe
    C:\WINDOWS\Fonts\waveun.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    waveun
    nuevaw
    ibbas
    runsrv
    bkinst


    and DELETE the related files. (We especially want to get rid of waveun.ini & waveun.dat & waveun.bak AND nuevaw.ini & nuevaw.dat & nuevaw.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then , as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let us know of any problems that you may have encountered with the above instructions. I'll check back when I get a chance.

    Best luck :)
    PP
     
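The entries PP told Chiss359 to check share a pattern worth making explicit: autostart executables dropped in folders that never legitimately hold code (Cursors, Fonts, the user's Temp), a BHO loaded from a .dat file instead of a DLL, value names prefixed with "*" (under RunOnce that prefix forces the entry to run even in Safe Mode), and the same binary registered under both Run and RunOnce so that one Fix alone leaves a re-seeding copy behind. The script below is an added example, not code from this thread or from PhilliePhan; it triages HijackThis O2/O4 lines with those heuristics, then derives the delete list and the Explorer search stems from what it flags. The embedded log is constructed to mirror the entries quoted in the post, with two plausible benign lines (an AVG tray app and ctfmon) added for contrast; the folder list and the regexes are assumptions about the HJT 1.98 line format, not an official parser.

```python
"""Triage HijackThis O2/O4 entries for out-of-place persistence.

Added example for the MajorGeeks Virtumundo thread; the sample log is
constructed, not a real capture, and the heuristics are illustrative.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: the malicious lines are the ones the post told the user to
# check; the AVG and ctfmon lines are plausible benign context for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nuevaw.dat
O4 - HKLM\..\Run: [*libbas] C:\WINDOWS\Cursors\libbas.exe
O4 - HKLM\..\Run: [*runsrv] C:\WINDOWS\runsrv.exe
O4 - HKLM\..\Run: [*waveun] C:\WINDOWS\Fonts\waveun.exe
O4 - HKLM\..\RunOnce: [*waveun] C:\WINDOWS\Fonts\waveun.exe rerun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Line shapes as HJT 1.98 prints them (assumed from the quoted log, not a spec).
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$')

# Folders that never legitimately hold autostart code (illustrative, not exhaustive).
NO_EXEC_DIRS = ("fonts", "cursors", "temp", "tmp", "prefetch")


@dataclass
class Finding:
    line: str                 # the raw HJT line
    path: str                 # executable / module it loads
    reasons: list = field(default_factory=list)


def exe_from_command(cmd):
    """Return the program path from an O4 command, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.+?\.(?:exe|com|scr|bat|dll|dat))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def path_reasons(path):
    """Location-based red flags for a loaded file."""
    p = PureWindowsPath(path)
    dirs = [s.lower() for s in p.parts[1:-1]]  # folders between drive and file name
    reasons = []
    if any(d in NO_EXEC_DIRS for d in dirs):
        reasons.append(f"lives in a folder that never holds autostart code ({p.parent})")
    if dirs == ["windows"]:
        reasons.append("dropped directly in the Windows root rather than system32 or Program Files")
    return reasons


def triage(log_text):
    """Parse O2/O4 lines and return only the entries with at least one red flag."""
    entries, keys_by_exe = [], {}
    for line in log_text.strip().splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            exe = exe_from_command(m["cmd"])
            f = Finding(line, exe, path_reasons(exe))
            if m["name"].startswith("*"):
                # Windows runs RunOnce values whose name starts with '*' even in Safe Mode.
                f.reasons.append("value name begins with '*': under RunOnce that forces it to run even in Safe Mode")
            keys_by_exe.setdefault(exe.lower(), set()).add(m["key"].lower())
            entries.append(f)
        elif (m := O2_RE.match(line)):
            path = m["path"]
            f = Finding(line, path, path_reasons(path))
            if PureWindowsPath(path).suffix.lower() != ".dll":
                f.reasons.append(f"BHO loaded from a non-DLL file ({PureWindowsPath(path).suffix})")
            entries.append(f)
    for f in entries:
        if {"run", "runonce"} <= keys_by_exe.get(f.path.lower(), set()):
            f.reasons.append("same binary under both Run and RunOnce: it re-seeds itself after a single Fix")
    return [f for f in entries if f.reasons]


def files_to_remove(findings):
    """Unique paths to delete (in Safe Mode, or via HJT's delete-on-reboot)."""
    return sorted({f.path for f in findings}, key=str.lower)


def search_stems(findings):
    """Name stems to feed the Explorer search for leftover .ini/.dat/.bak copies."""
    return sorted({PureWindowsPath(f.path).stem.lower() for f in findings})


if __name__ == "__main__":
    flagged = triage(SAMPLE_HJT_LOG)
    for f in flagged:
        print(f.line)
        for r in f.reasons:
            print("    -", r)
    print("delete:", files_to_remove(flagged))
    print("search for:", search_stems(flagged))
```

Run as-is it prints the four files from PP's delete list and the stems waveun, nuevaw, libbas and runsrv for the Explorer search, while leaving the AVG and ctfmon entries alone; the "ibbas" and "bkinst" stems in the post come from PP's knowledge of this family, not from anything in the log, which is why a log-only triage cannot produce them.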
  6. Chiss359

    Chiss359 Private E-2

    Thanks, that seems to have worked, I am finally free of Virtumundo. I appreciate your help so much, I can access programs now that haven't worked in a long time.
     
  7. PhilliePhan

    PhilliePhan Guest

    You're welcome! Happy we could help you get back on track :)

    Please take a look at Chaslang's suggestions: How to Protect yourself from malware!

    Best,
    PP
     
  8. TexanEagle21

    TexanEagle21 Private E-2

    I'm having the exact same problem, and I've tried the instructions for two related Major Geeks threads including this one. I've located that this IS a Virtumundo Malware on my computer, but everything I've tried has still failed to work. I've posted my HJT for your convenience. Thank you tons in advance for your help. I've been working on this problem for hours and I'm really at my wits end here.
     

    Attached Files:

  9. PhilliePhan

    PhilliePhan Guest

    You have a lot of crap in your log that needs to be dealt with. Also, you are running HijackThis improperly!

    Please look in Add or Remove Programs and Uninstall Wintools, Viewpoint Toolbar and anything else that looks fishy.

    Then, take a spin through the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    Note the steps that you can and cannot complete. Please make sure that you are in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back with the results from the above instructions and send us a HijackThis Log. Please follow the directions below carefully!!

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis! Please do this!!!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Please start a NEW THREAD for your problem & somebody will check back. Use the thread starter in the upper left.

    Best luck :)
    PP
     
  10. TexanEagle21

    TexanEagle21 Private E-2

    Sorry, I was using an older version of HJT when I ran that. Here is another one with the most updated version of HJT. I again went through the steps outlined, with no success.
     

    Attached Files:

  11. TexanEagle21

    TexanEagle21 Private E-2

    Just saw your reply. Thank you. I'll do the items you requested and start a new thread in a few moments!
     
